b"INFORMATION ACCESS PROGRAM\n\n\n\n\n           U.S. Department of Energy\n           Office of Inspector General\n           Office of Inspections and Special Inquiries\n\n\n\n\n Inspection Report\n Office of Intelligence and\n Counterintelligence Internal Controls\n Over the Department of Energy\xe2\x80\x99s\n Sensitive Compartmented Information\n Access Program\n\n\n\n\n DOE/IG-0790                             March 2008\n\x0c\x0c\x0cOFFICE OF INTELLIGENCE AND COUNTERINTELLIENCE\nINTERNAL CONTROLS OVER THE DEPARTMENT OF\nENERGY\xe2\x80\x99S SENSITIVE COMPARTMENTED INFORMATION\nACCESS PROGRAM\n\n\nTABLE OF\nCONTENTS\n\n              OVERVIEW\n\n              Introduction and Objective            1\n\n              Observations and Conclusions          2\n\n\n              DETAILS OF FINDINGS\n\n              Background                            3\n\n              Removal from SCI Roster               3\n\n              Administrative Debriefing             4\n\n              Employment Status Change              5\n\n              Incomplete Nondisclosure Agreements   6\n\n\n              RECOMMENDATIONS                       7\n\n\n              MANAGEMENT COMMENTS                   7\n\n\n              INSPECTOR COMMENTS                    7\n\n\n              APPENDICES\n\n              A. Scope and Methodology              8\n\n              B. Related OIG Reports                9\n\n              C. Management Comments                10\n\x0cOverview\n\nINTRODUCTION     The Department of Energy (DOE) is 1 of the 16 members of the\nAND OBJECTIVES   U.S. Government\xe2\x80\x99s Intelligence Community and serves as the\n                 premier technical intelligence resource in the areas of nuclear\n                 weapons, nonproliferation, energy, science, and technology and\n                 emerging nuclear threats. In addition to providing intelligence\n                 analyses, DOE offers specialized technology development and\n                 operational support to both intelligence and law enforcement\n                 agencies. DOE accomplishes its intelligence mission by drawing\n                 from broad technical expertise located throughout the Department\n                 complex, including the National Laboratories, and uses Sensitive\n                 Compartmented Information (SCI) that is shared between members\n                 of the Intelligence Community. SCI is a designation given to\n                 classified information derived from intelligence sources, methods,\n                 or analytical processes that requires formal access control systems.\n\n                 DOE\xe2\x80\x99s Office of Intelligence and Counterintelligence (IN) is\n                 responsible for granting SCI access to DOE Federal and contractor\n                 employees who need access to such intelligence information.\n                 Individuals must have an active Top Secret or \xe2\x80\x9cQ\xe2\x80\x9d clearance to be\n                 granted SCI access authorization.\n\n                 The objective of this inspection was to determine if IN had\n                 adequate internal controls for granting, maintaining, and\n                 terminating SCI access authorizations to DOE Federal and\n                 contractor employees. As of December 2006, there were 5,240\n                 SCI access holders across the DOE complex. This review focused\n                 on the 969 Federal and contractor employees listed on the\n                 Headquarters SCI access roster. The Office of Inspector General\n                 (OIG) is currently completing a second review of internal controls\n                 over SCI access from a field element perspective.\n\n\n\n\nPage 1                            Office of Intelligence and Counterintelligence\n                                  Internal Controls over the Department of\n                                  Energy\xe2\x80\x99s Sensitive Compartmented\n                                  Information Access Program\n\x0cOBSERVATIONS AND   We concluded that IN did not have adequate internal controls over\nCONCLUSIONS        its SCI access program. From a judgmental sample of 199 of the\n                   969 individuals on the Headquarters SCI access roster, we found\n                   that:\n\n                   \xe2\x80\xa2 IN was not timely in removing individuals from the SCI access\n                     roster who no longer needed SCI access: 17 individuals who\n                     had already left the Department or had been debriefed from SCI\n                     access remained on the Headquarters SCI roster;\n\n                   \xe2\x80\xa2 Five individuals apparently were \xe2\x80\x9cadministratively debriefed\xe2\x80\x9d\n                     from SCI access by IN without that office making all attempts\n                     to contact those individuals to ensure they received instructions\n                     regarding their continued obligation to safeguard SCI.\n                     (Administrative debriefing occurs when an official from IN\n                     annotates the individual\xe2\x80\x99s Debriefing Acknowledgement\n                     indicating that he/she is \xe2\x80\x9cUnavailable to Sign\xe2\x80\x9d);\n\n                   \xe2\x80\xa2 Four individuals did not properly rejustify their need for\n                     continued SCI access as a result of job or employment status\n                     change; and,\n\n                   \xe2\x80\xa2 Five nondisclosure agreements for SCI access, which serve as\n                     legal agreements between the individual and the Government,\n                     were not properly signed or witnessed.\n\n                   Past reviews by the OIG at various DOE sites have identified\n                   weaknesses in the internal controls designed to ensure individuals\xe2\x80\x99\n                   security clearances and accesses are terminated appropriately and\n                   expeditiously. (A list of the associated reports is located in\n                   Appendix B.) IN established an SCI debriefing policy in response\n                   to one of those reviews. However, based upon our findings during\n                   this review, we remain concerned that IN is not following existing\n                   policies and believe that IN needs to establish additional internal\n                   controls, such as periodic internal reviews, to ensure that\n                   requirements are followed regarding granting, maintaining, and\n                   terminating SCI access.\n\n\n\n\nPage 2                                              Observations and Conclusions\n\x0cDetails of Findings\n\nBACKGROUND            We reviewed a judgmental sample of 199 (20 percent) of the 969\n                      Federal and contractor employees listed on the Headquarters SCI\n                      access authorization roster as of December 2006.\n\n                      Pursuant to DOE Order 5639.8A, \xe2\x80\x9cSecurity of Foreign Intelligence\n                      Information and Sensitive Compartmented Information Facilities,\xe2\x80\x9d\n                      the Department must implement Director of Central Intelligence\n                      Directives (DCIDs) 1/19 and 6/4 for the protection of SCI.\n                      DCID 1/19, \xe2\x80\x9cSecurity Policy for Sensitive Compartmented\n                      Information and Security Policy Manual,\xe2\x80\x9d establishes the policies\n                      and procedures for the security, dissemination, and use of SCI.\n                      DCID 6/4, \xe2\x80\x9cPersonnel Security Standards and Procedures\n                      Governing Eligibility for Access to Sensitive Compartmented\n                      Information,\xe2\x80\x9d establishes the standards, procedures, and security\n                      programs for the protection of SCI.\n\n                      As a result of a previous OIG report published in 2006, IN\n                      produced the \xe2\x80\x9cSensitive Compartmented Information Debriefing\n                      Policy No. 001-06.\xe2\x80\x9d This policy established criteria and guidelines\n                      to administer debriefings, including administrative debriefings.\n\nREMOVAL FROM          We found that IN was not timely in removing individuals from the\nSCI ROSTER            SCI access roster who no longer needed SCI access. Specifically,\n                      17 individuals who had already left the Department or had been\n                      debriefed from SCI access remained on the Department\xe2\x80\x99s SCI\n                      roster. DCID 1/19 states that when a previously established need-\n                      to-know no longer exists due to reorganization, reassignment,\n                      change in duties, or any other reason, the SCI access shall be\n                      cancelled and the individual debriefed from SCI. Debriefing is the\n                      final instruction provided to individuals regarding their continued\n                      obligation for safeguarding SCI, as defined by DCID 6/4. An IN\n                      official told us that an individual is terminated from SCI access\n                      when the individual is debriefed.\n\n                      We determined that 14 of the 17 individuals had left DOE but had\n                      not been debriefed and removed from the SCI access roster. Based\n                      on the separation dates, these individuals remained on the SCI\n                      roster between 2 months and 64 months after their departure or the\n                      termination of their DOE clearance. In one instance, IN received a\n                      request from the National Nuclear Security Administration to delay\n                      removal of an individual from the SCI roster for a few months and\n                      allowed that individual to remain on the roster after his departure\n                      from DOE. However, IN did not follow up on the issue, and the\n                      individual remained on the roster 1\xc2\xbd years later, until we identified\n                      the lapse. Further, as noted previously, a Q or Top Secret\n\n\n\nPage 3                                                                Details of Findings\n\x0c                 clearance is a prerequisite to having SCI access. We were told by\n                 IN that if a Q clearance were terminated, then the SCI access\n                 would also be discontinued immediately. Yet we determined that\n                 3 of the 14 individuals had their Q clearances terminated in August\n                 2001, June 2006, and September 2006, respectively. The\n                 individual whose Q clearance was terminated in August 2001 was\n                 detailed to DOE from another agency and should have been\n                 removed from DOE\xe2\x80\x99s SCI roster when he left. Responsible IN\n                 officials were unaware of the detailee\xe2\x80\x99s departure until we brought\n                 the issue to their attention.\n\n                 Finally, we identified that the remaining 3 of the 17 individuals\n                 from the roster had been debriefed from SCI and had signed the\n                 requisite out-processing SCI nondisclosure agreement, yet they\n                 were still listed as holding SCI access authorizations. These\n                 individuals remained on the SCI roster between 9 and 27 months\n                 after having been debriefed from SCI. An IN official agreed that\n                 these individuals should not have been on the SCI roster.\n\n                 The Intelligence Community maintains a database of the current\n                 status of individuals\xe2\x80\x99 clearances and SCI accesses. Failure to\n                 remove DOE individuals from the SCI roster could result in\n                 inaccurate reporting to the Intelligence Community and cause other\n                 agencies to rely on inaccurate clearance and access information,\n                 resulting in individuals potentially gaining access to SCI with\n                 expired authorizations.\n\nADMINISTRATIVE   We found that five individuals apparently were administratively\nDEBRIEFING       debriefed from SCI access by IN without IN making all attempts to\n                 contact those individuals to ensure they received instructions\n                 regarding their continued obligation to safeguard SCI.\n\n                 Debriefing from SCI is intended to remind individuals of their\n                 continued obligation to safeguard SCI and to have them sign a\n                 nondisclosure agreement. Pursuant to DCID 6/4, the debriefing\n                 includes, among other things, reading appropriate sections of U.S.\n                 laws regarding espionage and unauthorized disclosure of classified\n                 information; acknowledging lack of possession of any documents\n                 containing SCI; and agreeing to report to the Federal Bureau of\n                 Investigation information regarding any attempt by an individual to\n                 solicit classified information. IN\xe2\x80\x99s \xe2\x80\x9cSensitive Compartmented\n                 Information Debriefing Policy No. 001-06\xe2\x80\x9d states that all attempts\n                 should be made for a personal debriefing (in-person, by telephone,\n                 or by mail) and that administrative debriefings should only be\n                 performed under extenuating circumstances, such as medical\n                 illness or death. Administrative debriefing occurs when an official\n\n\nPage 4                                                         Details of Findings\n\x0c                from IN annotates the individual\xe2\x80\x99s Debriefing Acknowledgement\n                indicating that he/she is \xe2\x80\x9cUnavailable to Sign.\xe2\x80\x9d\n\n                In five instances, when the OIG informed an IN official that there\n                were individuals who had left DOE and were still on the SCI\n                roster, the IN official contacted the program offices that had\n                employed the individuals and verified that the individuals had left\n                DOE and should no longer have been on the SCI roster.\n\n                Regarding two of these individuals, the IN official, in the presence\n                of the OIG, signed the debriefing forms stating that the individuals\n                were administratively debriefed, without making any further\n                attempt to locate these individuals for an actual debriefing.\n\n                Regarding the other three individuals, we had concerns that they\n                were similarly administratively debriefed after we identified that\n                they were still on the SCI roster. Although we did not observe the\n                action taken by the IN official to follow up on the individuals\xe2\x80\x99\n                unsigned debriefing forms, subsequently we observed that all three\n                forms were simply signed by an IN official. This was done within\n                one day of IN having been notified by the OIG that the individuals\n                should have been removed from the SCI roster. The forms were\n                not signed by the individuals, there was no statement on each\n                debriefing form that the individual was unavailable to sign for the\n                debriefing, and there was nothing in the files to indicate IN had\n                made any attempts to locate the individuals.\n\nEMPLOYMENT      We found that four individuals did not properly rejustify their need\nSTATUS CHANGE   for continued SCI access as a result of job or employment status\n                change. These employees had transferred internally within DOE\n                or had changed from Federal to contractor employee status.\n                DCID 1/19 states that when a previously established need-to-know\n                no longer exists due to reorganization, reassignment, change in\n                duties, or any other reason, the SCI access shall be cancelled and\n                the individual debriefed from SCI. We were told by an IN official\n                that if an individual transfers to another program office, becomes a\n                contract employee, or has changed personnel status, that\n                individual\xe2\x80\x99s need for SCI must be rejustified or terminated.\n\n                We were told by an IN official that one way that IN can determine\n                a change in personnel status is through self-reporting during the\n                biennial SCI security refresher training. Despite this apparent\n                safeguard, one of the individuals we had identified had transferred\n                to another program office more than two years earlier and had\n                subsequently attended SCI refresher training. After we identified\n\n\n\nPage 5                                                         Details of Findings\n\x0c                the issue, IN determined that the individual no longer needed SCI\n                access, and he was subsequently debriefed.\n\n                The second employee we identified had retired from Federal\n                service in 2002, became a contract employee in the same office\n                doing the same work, but did not have an SCI rejustification, as\n                required. An IN official agreed that the employee\xe2\x80\x99s office should\n                have rejustified the individual\xe2\x80\x99s SCI access.\n\n                The third employee we identified had transferred to another\n                program office several months prior. IN officials were unaware of\n                this personnel change and subsequently had the individual provide\n                another justification for maintaining SCI access.\n\n                The fourth employee we identified had transferred to another\n                program office, and the rejustification document submitted for the\n                employee was signed by his supervisor, who did not have SCI\n                access. DCID 1/19 states that a \xe2\x80\x9cneed-to-know\xe2\x80\x9d determination\n                should be made by an authorized individual, having the appropriate\n                security clearances and access approvals, certifying that a\n                prospective SCI recipient requires access to specific classified\n                information to perform his duty. Upon our inquiry, IN verified\n                that the individual\xe2\x80\x99s supervisor did not have SCI access and could\n                not have properly made the request. IN subsequently approved a\n                properly executed rejustification request for the individual.\n\nINCOMPLETE      We found that five nondisclosure agreements for SCI access,\nNONDISCLOSURE   which serve as legal agreements between the individual and the\nAGREEMENTS      Government, were not properly signed or witnessed. In three\n                instances, the portion of the nondisclosure agreement form\n                acknowledging an understanding of the responsibilities for holding\n                SCI access was not signed by the individuals, as required. The\n                remaining two nondisclosure agreements were not signed by an IN\n                witness and the section of the form acknowledging security\n                briefing indoctrination was not signed by the individual receiving\n                the SCI access.\n\n                DCID 1/19 states that, as a provision of access to SCI, individuals\n                must sign an authorized nondisclosure agreement and that failure\n                to do so is cause for denial or revocation of existing SCI access.\n                The nondisclosure agreement serves as a legal agreement between\n                the individual and the Government that the individual has been\n                granted SCI access and that the individual understands his\n                obligations and the criminal penalties for any unauthorized\n                disclosure of SCI. An IN official agreed that the forms should\n\n\n\nPage 6                                                         Details of Findings\n\x0c                  have been properly signed and subsequently had the individuals\n                  sign and properly complete the nondisclosure agreements.\n\nRECOMMENDATIONS   We recommend that the Director, Office of Intelligence and\n                  Counterintelligence, ensures that the policies for granting,\n                  maintaining, and terminating SCI access are followed so that:\n\n                  1. Individuals no longer requiring SCI access are removed from\n                     the Department\xe2\x80\x99s SCI roster on a timely basis;\n\n                  2. Debriefings are completed in accordance with IN policy;\n\n                  3. Nondisclosure agreements are properly executed; and\n\n                  4. A periodic review of SCI access holders is accomplished at\n                     Headquarters and throughout the Department complex to\n                     ensure that all SCI access program requirements, including\n                     both employment status and rejustification of access, are being\n                     followed.\n\nMANAGEMENT        In comments to a draft version of this report, IN management\nCOMMENTS          concurred with our recommendations and identified corrective\n                  actions. Management\xe2\x80\x99s comments are included in their entirety at\n                  Appendix C.\n\nINSPECTOR         We found management\xe2\x80\x99s comments to be responsive to our\nCOMMENTS          recommendations.\n\n\n\n\nPage 7                                  Recommendations\n                                        Management and Inspector Comments\n\x0cAppendix A\n\nSCOPE AND     We conducted our inspection fieldwork between December 2006\nMETHODOLOGY   and May 2007. We interviewed officials from DOE\xe2\x80\x99s Office of\n              Intelligence and Counterintelligence and DOE\xe2\x80\x99s Office of Health,\n              Safety and Security. We reviewed applicable policies and\n              procedures pertaining to SCI access. We obtained an SCI roster of\n              DOE Headquarters individuals and reviewed the SCI access\n              personnel files of select individuals on the SCI roster.\n\n              As part of our review, we evaluated implementation of the\n              \xe2\x80\x9cGovernment Performance and Results Act of 1993\xe2\x80\x9d in the context\n              of activities included in our review. We did not identify any\n              performance measure issues regarding DOE\xe2\x80\x99s SCI access program.\n\n              This inspection was conducted in accordance with the \xe2\x80\x9cQuality\n              Standards for Inspections\xe2\x80\x9d issued by the President\xe2\x80\x99s Council on\n              Integrity and Efficiency.\n\n\n\n\nPage 8                                                Scope and Methodology\n\x0cAppendix B\n\nRELATED OIG   The following OIG reports involve work similar to this inspection:\nREPORTS\n                \xe2\x80\xa2 \xe2\x80\x9cSelected Aspects of the East Tennessee Technology Park's\n                  Security Clearance Retention Process\xe2\x80\x9d (DOE/IG-0779,\n                  October 2007);\n\n                \xe2\x80\xa2 \xe2\x80\x9cBadge Retrieval and Security Clearance Termination at\n                  Sandia National Laboratory-New Mexico\xe2\x80\x9d (DOE/IG-0724,\n                  April 2006);\n\n                \xe2\x80\xa2 \xe2\x80\x9cSecurity Clearance Terminations and Badge Retrieval at the\n                  Lawrence Livermore National Laboratory\xe2\x80\x9d (DOE/IG-0716,\n                  January 2006);\n\n                \xe2\x80\xa2 \xe2\x80\x9cSecurity and Other Issues Related to Out-Processing of\n                  Employees at Los Alamos National Laboratory\xe2\x80\x9d\n                  (DOE/IG-0677, February 2005);\n\n                \xe2\x80\xa2 \xe2\x80\x9cPersonnel Security Clearances and Badge Access Controls\n                  at Selected Field Locations\xe2\x80\x9d (DOE/IG-0582, January 2003);\n                  and\n\n                \xe2\x80\xa2 \xe2\x80\x9cPersonnel Security Clearances and Badge Access Controls\n                  at Department Headquarters\xe2\x80\x9d (DOE/IG-0548, March 2002).\n\n\n\n\nPage 9                                                   Related OIG Reports\n\x0cAppendix C\n\n\n\n\nPage 10      Management Comments\n\x0cAppendix C (continued)\n\n\n\n\nPage 11                  Management Comments\n\x0cAppendix C (continued)\n\n\n\n\nPage 12                  Management Comments\n\x0c                                                                    IG Report No. DOE/IG-0790\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\xe2\x80\x99 requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\xe2\x80\x99s overall\n   message clearer to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland-Smith at (202) 586-7828.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                             following address:\n\n                   U.S. Department of Energy Office of Inspector General Home Page\n                                        http://www.ig.doe.gov\n\n       Your comments would be appreciated and can be provided on the Customer Response Form\n                                      attached to the report.\n\x0c"